Infrastructure as a Service Raises Host of Legal Concerns

Ensuring legal compliance can be time-consuming—not just because of today’s fast-paced marketplace but also because of the pace at which laws change. The rapid expansion of IaaS (Infrastructure as a Service) makes this even more challenging, because businesses are managing increasing quantities of data that they must ensure as being private.

In many respects, the expansion of IaaS, state laws, and federal laws have created an entangling web of regulations that businesses must navigate—and many are not doing so successfully.

The necessity of resources

Recently, Keith Moulsdale, who is a partner with Whiteford, Taylor, and Preston, spoke about this trend. His firm’s specialty is cyber security; specifically, he ensures that that businesses remain legally compliant in the realm of cloud computing and wide-scale data storage.

According to Moulsdale, one of the greatest challenges is that smaller companies, non-profits, and trade associations often don’t have the resources or knowledge to remain compliant with the laws. As a result, many are unwittingly exposing their customer’s personal information to thieves eager to steal it.

Conversely, he said that larger companies have sufficient resources and take proactive measures to protect their customer’s information and remain compliant. One example of this is the Target consumer data breach last year, which highlighted the obligations placed upon a large company when such a data breach occurs. In that case, liability for both Target and their vendors is expected to exceed $18 billion. This is still dependent on the final outcome of the forensic investigation, the final tally from the attorneys in the case, and any actions that private individuals may take.

Clear differences between state and federal laws

That’s just the financial side of the equation. With the increasing presence of IaaS vendors like Amazon Web Services and other third-party providers, differences between state and federal compliance issues are being raised by business owners across the country.

Massachusetts, for instance, has some of the strictest data security laws in the nation, and the state requires that a company’s obligations flow toward its vendors. As Moulsdale points out, businesses can’t pass the buck to shield themselves from a data breach. This requires a considerable amount of due diligence to ensure that everyone in the chain is in compliance.

If a breach occurs, it can become even more complicated if the breach is off-site. In many cases, off-site providers don’t give direct access to companies. This makes it difficult for them to adequately protect customer data—as the law requires it do.

Jurisdictional issues come into play, too, when data is virtualized and when data is imported into the cloud environment by third-party vendors. It’s imperative for a business to determine where its virtualized data will be located prior to entering into any agreement.

Challenges for small businesses

For smaller businesses, there’s a real possibility that IaaS has been secured by a very basic boilerplate agreement. Often, though, these agreements don’t provide adequate protection for their needs. This can leave their customers exposed with little to no recourse.

Fortunately, the FTC recognizes this and can intervene on behalf of consumers if they feel that a provider is not “acting above board.” The downside is that the FTC won’t step in unless a pattern of dereliction is clear. When the commission does get involved, it will provide several opportunities for a vendor to correct the deficiencies before taking further action.

Ultimately, as IaaS continues to expand, a collision between conflicting compliance laws appears to be inevitable. One of the largest collisions could occur between the United States and the European Union. For the past decade, safe harbor laws held this collision at bay. However, now that vast amounts of data are being transferred, the risk of a collision and legal conflict is very real.